Exchange SQL And IIS - P81 docx


Chapter 7

Managing the Edge Transport Server

Solutions in this chapter:

■ Deploying the Edge Transport Server Role
■ Enabling Name Resolution Lookups between the Edge Transport and Hub Transport Servers
■ Installing the ADAM Component
■ Verifying That the EdgeSync Service Works as Expected
■ Manually Configuring the Required Connectors
■ Pointing Your MX Records to the Edge Transport Server
■ Deploying Multiple Edge Transport Servers in the Organization

■ Summary
■ Solutions Fast Track
■ Frequently Asked Questions

Introduction

The Exchange Product Group developed the edge transport server to give enterprises powerful out-of-the-box protection against spam without needing to go out and invest in a third-party solution. The messaging hygiene features in the Edge Transport server role are agent based and consist of multiple filters that are frequently updated. Although the primary role of the edge transport server is to route mail and do message hygiene, it also includes features that will let you do other things, such as rewriting SMTP addresses, configuring transport rules, and enabling journaling and associated disclaimers.

After reading this chapter you will have learned what the edge transport server is all about; you will be aware of how an edge transport server is properly deployed as well as know how to configure most of the features available with this server role.

NOTE
Exchange 2007 also includes a new feature called Domain Security, which provides a set of functionality that offers a low-cost alternative to S/MIME or other message-level security solutions. The purpose of the Domain Security feature set is to provide administrators a way to manage secured message paths over the Internet with business partners.
Deploying the Edge Transport Server Role

The Edge Transport server role in Exchange Server 2007 is meant to be installed in your organization’s perimeter network (also called a demilitarized zone [DMZ] or screened subnet). This server role supports Simple Mail Transfer Protocol (SMTP) routing (more specifically, SMTP-relay and Smart Host functionality) and provides several antispam filtering agents and support for antivirus extensibility. The edge transport server is the only server role that shouldn’t be part of your Active Directory directory service forest; it should instead be installed on a stand-alone server in a workgroup as shown in Figure 7.1.

Although the Edge Transport server role is isolated from Active Directory, it’s still able to communicate with the Active Directory using a collection of processes known as EdgeSync, which runs on the hub transport server. Since it is part of the Active Directory, the Hub Transport server has access to the necessary Active Directory data. The edge transport server uses Active Directory Application Mode (ADAM) to store the required Active Directory data, which is data such as accepted domains, recipients, safe senders, send connectors, and a hub transport server list (used to generate dynamic connectors so that you don’t need to create them manually).

SOME INDEPENDENT ADVICE
Although the Edge Transport server role has been designed to provide improved antispam and antivirus protection for an Exchange 2007 environment, you can deploy this server role in an existing Exchange 2003 organization as well. Since you install the Edge Transport server role on a stand-alone machine in the perimeter network (the DMZ or screened subnet), this is even a relatively simple task.
Even though you would be able to use the Edge Transport server role as a smart host or an SMTP relay server in an Exchange 2003 environment, you will not be able to replicate configuration and recipient data from Active Directory to ADAM, because this requires an Exchange 2007 hub transport server. This doesn’t hinder you from using the filtering agent that doesn’t rely on the EdgeSync service.

If you use the Intelligent Message Filter (IMF) only in your Exchange 2003 environment, deploying an edge transport server in the perimeter network (the DMZ or screened subnet) would make sense because it would provide an additional layer of antispam protection. You could also install ForeFront for Exchange Server 2007 on the edge transport server so that you could filter out virus-infected messages as well.

[Figure 7.1: A Typical Edge Transport Server Scenario. Diagram labels: Internet, SMTP Server, Firewall, Perimeter Network, Edge Transport, Internal Network, Client Access, Hub Transport, Mailbox]

It’s important to understand that the EdgeSync replication is encrypted by default and that the replication is a one-way process from Active Directory to ADAM. This means that no data is replicated from ADAM to AD. The first time that EdgeSync replication occurs, the ADAM store is populated, and after that, data from Active Directory is replicated at fixed intervals. You can specify the intervals or use the default settings, which are every hour for configuration data and every fourth hour for recipient data.

The edge transport server has its own Jet database to process the delivery of inbound as well as outbound e-mail messages. When inbound e-mail messages are stored in the Jet database and are ready for delivery, the edge transport server looks up the respective recipient(s) in the ADAM store, which, as mentioned, among other things contains recipient data replicated from the Active Directory using the EdgeSync service.
In a scenario in which you have deployed multiple edge transport servers in your organization, the edge transport servers use DNS round robin (which is supported by most DNS servers today) to load-balance network traffic between the servers.

Prerequisites

The Exchange 2007 Edge Transport server role can be installed on either a Windows 2003 Server R2 Standard Edition or Windows 2003 Server SP1 Standard Edition. As already mentioned, it’s important that you install the Edge Transport server role on a standalone machine outside the Active Directory forest, since installing this server role on a server that is a member of Active Directory isn’t supported, nor would it be a good idea, since doing so would introduce a major security risk.

Since the Edge Transport server should be deployed in the perimeter network (the DMZ or screened subnet), it’s recommended that you use a multihomed setup, meaning that the server has two network adapters: one connected to the perimeter network and one to the internal network. This will give you the option of specifying the ports and/or services that should be allowed on each adapter. For example, we want to allow LDAP replication from only the internal network when we show you how to configure the Security Configuration Wizard (SCW) later in this chapter. But the choice is yours, really, since an edge transport server will work just fine using a single network adapter as well, albeit in a less secure way.

Creating a DNS Suffix

Before you can install the Exchange 2007 Edge Transport server role on the server, you should make sure that you have created a DNS suffix, because you cannot change the server name once the server role has been installed. In addition, the readiness check will fail if a DNS suffix cannot be located. Creating the DNS suffix is a very simple process, performed via the following steps:

1. Log on to the edge transport server with the Administrator account or another account with administrator permissions.
2. Click Start, right-click My Computer, and select Properties in the context menu.
3. Now click the Computer Name tab and then click the Change button (see Figure 7.2).

Figure 7.2 The Computer Name Tab

4. Click the More button.
5. Now enter the respective DNS suffix (see Figure 7.3) and then click OK four times.
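The prerequisites above (stand-alone workgroup server, a primary DNS suffix, ideally two network adapters) can be checked from a PowerShell prompt before running setup. The following is an added example, not code from the book; the function name Test-EdgePrerequisite and its message texts are illustrative, and it only reads WMI and the registry.

```powershell
# Added example: read-only pre-install check for an Edge Transport candidate.
# Test-EdgePrerequisite is an illustrative name, not an Exchange cmdlet.
function Test-EdgePrerequisite {
    $findings = @()

    # 1. The role must sit on a stand-alone (workgroup) server.
    #    When PartOfDomain is false, Domain holds the workgroup name.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if ($cs.PartOfDomain) {
        $findings += "FAIL: joined to domain '$($cs.Domain)'; use a stand-alone workgroup server."
    } else {
        $findings += "OK: stand-alone server in workgroup '$($cs.Domain)'."
    }

    # 2. A primary DNS suffix must exist before setup runs.
    #    'Domain' is the active suffix; 'NV Domain' takes effect after a restart.
    $key     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $tcpip   = Get-ItemProperty -Path $key
    $active  = $tcpip.Domain
    $pending = $tcpip.'NV Domain'
    if ([string]::IsNullOrEmpty($active) -and [string]::IsNullOrEmpty($pending)) {
        $findings += "FAIL: no primary DNS suffix is set; the readiness check will fail."
    } elseif ($active -ne $pending) {
        $findings += "WARN: suffix '$pending' is pending; restart before installing the role."
    } else {
        $findings += "OK: primary DNS suffix is '$active'."
    }

    # 3. Two IP-enabled adapters suggest the recommended multihomed layout
    #    (one on the perimeter network, one on the internal network).
    $nics = @(Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
    if ($nics.Count -ge 2) {
        $findings += "OK: $($nics.Count) IP-enabled adapters found (multihomed)."
    } else {
        $findings += "NOTE: single adapter; supported, but per-adapter port restrictions are not possible."
    }

    return $findings
}

Test-EdgePrerequisite
```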

Posted: 06/07/2014, 13:20
